An Adobe zero-day vulnerability in Flash Player that was actively exploited stirred up excitement for admins in the week leading up to June Patch Tuesday.
Adobe released a fix for the zero-day (CVE-2018-5002) and three other vulnerabilities for the Windows client operating system on June 7.
The zero-day exploit launched its attacks from Excel documents sent via email. Users who open these infected Excel attachments on unpatched systems could allow the execution of arbitrary code under the exploited user account.
After the Adobe zero-day issue, the patching workload for administrators is lighter than usual for June Patch Tuesday, with about 50 unique vulnerabilities to correct — including 11 rated critical.
“Our recommendation is the Flash patch — if it already hasn’t been pushed out, [give that] high priority,” said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
June Patch Tuesday closes about 50 vulnerabilities
Microsoft released an update for the only publicly disclosed vulnerability (CVE-2018-8267) for June Patch Tuesday, which affects the Microsoft scripting engine on all supported versions of Internet Explorer. Attacks can exploit this flaw through a compromised website, or user-contributed ads or content, to take control of the target machine.
On an unpatched system, attackers could execute arbitrary code as the hacked user. Organizations that follow least-privilege rules that restrict the use of higher full permissions will reduce the damage from a breach.
Microsoft’s June Patch Tuesday fixes also closed a remote code execution vulnerability (CVE-2018-8225) that affects all supported versions of Windows. This vulnerability could allow an attacker to compromise systems through a domain name system (DNS) server.
“That would be higher risk for mobile workstations, where it’s likely the system will be accessing an untrusted DNS server through public Wi-Fi,” said Jimmy Graham, director of product management at Qualys, based in Redwood City, Calif.
A memory corruption vulnerability (CVE-2018-8229) in the Edge browser’s Chakra scripting engine would let an attacker exploit an unpatched system through specially crafted websites or user-provided content. The effects depend on the level of privilege on the system.
Spectre vulnerabilities continue
Just when it seemed the Meltdown and Spectre vulnerabilities were winding down, security researchers uncovered another CPU bug. The vulnerability, called Spectre variant 4, is similar to the other speculative execution side-channel vulnerabilities disclosed in January, but they are rated with moderate severity.
Jann Horn, a security researcher at Google’s Project Zero, and Ken Johnson, of the Microsoft Security Response Center, discovered Spectre variant 4 (CVE-2018-3639). This exploit enables malicious actors to read privileged data across trust boundaries.
Microsoft released its ADV180012 advisory in January to assist administrators with closing the exploits from the speculative execution side-channel vulnerabilities. The company continues to update the site, and it added further mitigation instructions to address Spectre variant 4. There are still no active attacks on Meltdown or Spectre, but administrators should install the patches and microcode updates when the CPU manufacturers release them.
For more information about the remaining security bulletins for June Patch Tuesday, visit Microsoft’s Security Update Guide.